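I am trying to use nxlog to parse IIS files and create JSON output so that I can push it to logstash later.
However, all I get is the raw data from the file, not the formatted output I expected. https://github.com/StephenHynes7/confs/blob/master/windows_iis_JSON/nxlog-iis.conf
This is my configuration file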
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT D:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension json>
Module xm_json
</Extension>
# Select the input folder where logs will be scanned
# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
# Uncomment Extension w3c for IIS logging
<Extension w3c>
Module xm_csv
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
Fields $date, $time, $s-sitename, $s-computername, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-cookie, $cs-referrer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $sc-bytes, $cs-bytes, $time-taken
FieldTypes string, string, string, string, string, string, string, string, integer, string, string, string, string, string, string, integer, integer, integer, integer, integer, integer
Delimiter ' '
UndefValue -
QuoteChar '"'
EscapeControl FALSE
</Extension>
<Input iis_logs>
Module im_file
File "C:\\Resources\\Directory\\\\u_ex*.log"
ReadFromLast True
Recursive True
SavePos True
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
$Message = to_json(); \
}
</Input>
<Output debug>
Module om_file
File "C:\\nxlog-debug.txt"
</Output>
<Route 1>
Path iis_logs => debug
</Route>
And my output (not JSON)
2015-09-05 07:42:00 W3SVC1273337584 ****** *.*.*.* GET / - 443 - *.*.*.* HTTP/1.1 Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.2;+WOW64;+Trident/6.0) - - *.*.*.* 403 14 0 5530 258 31
2015-09-05 07:42:00 W3SVC1273337584 ****** *.*.*.* GET / - 443 - *.*.*.* HTTP/1.1 Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.2;+WOW64;+Trident/6.0) - - *.*.*.* 403 14 0 5530 258 16
2015-09-05 07:53:05 W3SVC1273337584 ****** *.*.*.* GET / - 443 - *.*.*.* HTTP/1.1 Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.2;+WOW64;+Trident/6.0) - - *.*.*.* 403 14 0 5530 258 31
2015-09-05 07:53:06 W3SVC1273337584 ****** *.*.*.* GET / - 443 - *.*.*.* HTTP/1.1 Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.2;+WOW64;+Trident/6.0) - - *.*.*.* 403 14 0 5530 258 31
I think I'm close, but what am I missing?
Answer 0: (score: 2)
om_file writes $raw_event to the output and discards all other fields, including $Message. So you need
$raw_event = to_json();
or just
to_json();
The two are equivalent.
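The following added example (not from the original post, and Python rather than nxlog configuration) builds the JSON events the question expects from W3C lines, using the `#Fields` header from the config, so the nxlog output can be compared against it. The sample log lines are constructed, and `w3c_to_json` is a hypothetical helper name.

```python
import json

# Column header copied from the #Fields comment in the question's config.
FIELDS_HEADER = ("#Fields: date time s-sitename s-computername s-ip cs-method "
                 "cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version "
                 "cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status "
                 "sc-substatus sc-win32-status sc-bytes cs-bytes time-taken")
INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
              "sc-bytes", "cs-bytes", "time-taken"}

# Constructed sample modelled on the masked output lines in the question.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 8.0",
    FIELDS_HEADER,
    "2015-09-05 07:42:00 W3SVC1273337584 WEB01 192.0.2.10 GET / - 443 - "
    "198.51.100.7 HTTP/1.1 Mozilla/5.0+(compatible;+MSIE+10.0) - - "
    "example.test 403 14 0 5530 258 31",
    "2015-09-05 07:42:01 truncated line",
])


def w3c_to_json(text):
    """Return (json_lines, rejected_lines) for a W3C extended log."""
    fields, out, rejected = [], [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header defines the column order
            continue
        if not line.strip() or line.startswith("#"):
            continue                       # comment lines: the config's drop()
        cols = line.split(" ")
        if len(cols) != len(fields):
            rejected.append(line)          # column count must match the header
            continue
        try:
            event = {n: None if v == "-" else int(v) if n in INT_FIELDS else v
                     for n, v in zip(fields, cols)}
        except ValueError:
            rejected.append(line)          # non-numeric value in an integer column
            continue
        event["EventTime"] = f"{event.get('date')} {event.get('time')}"
        event["SourceName"] = "IIS"
        out.append(json.dumps(event))
    return out, rejected


if __name__ == "__main__":
    for record in w3c_to_json(SAMPLE_LOG)[0]:
        print(record)
```

Rows whose column count differs from the header are rejected rather than mis-assigned; on this page the `#Fields` comment lists 22 columns while the `Fields` directive lists 21 (there is no `$cs-version`).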